A little newbie General Guidance needed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
oac-inc.com, swscenics.com

I ran this command:
certbot certonly --webroot

It produced this output:

Waiting for verification...
Challenge failed for domain oac-inc.com
Challenge failed for domain swscenics.com
http-01 challenge for oac-inc.com
http-01 challenge for swscenics.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: oac-inc.com
   Type:   unauthorized
   Detail: Invalid response from
   http://oac-inc.com/.well-known/acme-challenge/Hm_0f1vY3mbXgdhSeglBPTyr5TexGSK
xeMwioDiKPwA
   [204.98.120.165]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html
   xmlns=\"http"

   Domain: swscenics.com
   Type:   unauthorized
   Detail: Invalid response from
   http://swscenics.com/.well-known/acme-challenge/28xSBdpHLNqwUCxi51KuVvSKAdiZF
-0-A_jSS_vlXRI
   [204.98.120.165]: "<!DOCTYPE html>\r\n<html
   lang=\"en-US\">\r\n<head id=\"Head\"><meta content=\"text/html;
   charset=UTF-8\" http-equiv=\"Content-Type\" /><tit"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
IIS

The operating system my web server runs on is (include version):
Windows Server 2008 R2

My hosting provider, if applicable, is:
Self Hosted, DNS as well

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

1 Like

My overall architecture is a single Windows 2008 server, running 2 VMs. One VM is the mail server, the other is the Web Server. They are all on the same IP with routing at the firewall by protocol.
The web server is presently running the OAC-Inc.com site as an old school standard HTML site. The SWScenics.com site is running on a content management system, DotNetNuke. They are all running with Host Header bindings. The "Default" (by IP) site is running but empty.
The Mail server is an Exchange 2007 server.
I've been somewhat overwhelmed with all the info I've found on this and I haven't been able to sort it all out to my situation.

1 Like

Hello @jwillard,

Maybe your web server is not serving extensionless files (like the ones that must be used to validate the http challenge).

You could try to test it yourself by creating a couple of files inside your webroot paths and checking them with your browser:

Example if your webroot is c:\www\

C:\www\.well-known\acme-challenge\test
C:\www\.well-known\acme-challenge\test.txt

If you can reach the test.txt file using your browser but you can't reach the first one, create a web.config file at C:\www\.well-known\acme-challenge\web.config to allow extensionless files in IIS:

Note: Remember that path C:\www is just an example, you must use the ones used by your domains.

<?xml version="1.0" encoding="UTF-8"?>
 <configuration>
     <system.webServer>
         <staticContent>
             <mimeMap fileExtension=".*" mimeType="text/plain" />
         </staticContent>
     </system.webServer>
 </configuration>

Cheers,
sahsanu

2 Likes
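The manual test described above, automated as an added example (not code from the thread or from certbot): it writes a random extensionless probe file under the webroot, fetches it over HTTP and classifies the response. The names `classify` and `preflight`, the `C:\www` path and `example.com` are assumptions for illustration.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def classify(status, body, expected):
    """Map one HTTP response to the likely cause of an http-01 failure."""
    text = body.strip()
    if status == 200 and text == expected:
        return "ok"
    if status == 404:
        return "not-found: wrong webroot, or no MIME type for extensionless files"
    if text[:20].lower().startswith(("<!doctype", "<html")):
        return "html-page: the site or CMS answered instead of the static file"
    return "mismatch: HTTP %d with unexpected body" % status


def preflight(webroot, domain, timeout=10):
    """Write a random extensionless probe file and fetch it back over HTTP."""
    token = secrets.token_urlsafe(32)
    content = token + ".probe"  # constructed value, not a real key authorization
    folder = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(folder, exist_ok=True)  # dot-prefixed folders are fine via the API
    path = os.path.join(folder, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(content)
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read(4096).decode("utf-8", "replace")
    finally:
        os.remove(path)  # never leave probe files in the webroot
    return classify(status, body, content)


if __name__ == "__main__":
    # Hypothetical webroot and domain; use the physical path of each IIS site.
    print(preflight(r"C:\www", "example.com"))
```

Run it once per site, passing the physical path that IIS maps to that host header; an `html-page` result means the request never reached the static file.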

Hi Sahsanu,
This morning I tried your suggestion and failed from the outset. I went to my c:/wwwroot folder and tried to create a folder named ".well-known" and immediately got an error "You must provide a file name". I'm a Windows guy and was pretty sure you can't create a folder leading with a dot.

Would creating a directory called Well-Known and then hiding it be the same thing?
Jeff

I'm a GNU/Linux guy and I'm pretty sure you can create a folder leading with a dot in Windows :wink: just use the command line instead of File Explorer.

mkdir .well-known

1 Like

I've always wanted to learn Linux but paying work keeps interfering. sigh....
OK, most of that all worked. The Web.config didn't seem to work properly, but I was able to accomplish the same thing in IIS manager. I can reach both "test" and "Test.txt" both locally and remotely.
I reran certbot and it worked and created the certificate for our main site OAC-INC.com. However, it did not work for the SWScenics.com domain. That one is running under a content management system so I believe I need to fool around with the folder pathing a little more.
I think I'm getting smarter with your help and beginning to figure this out.
Thanks
Jeff

4 Likes
